We are aware of the issue and are investigating it, and will be issuing a fix for this issue along with any others we discover during our targeted investigation shortly. In the meantime disabling the Mass Payment feature voids the immediate threat.

You can do this by de-selecting the "Enable Mass Payment" checkbox in Setup > General Settings > Invoices and saving.

--Message from WHMCS--- We understand the frustration regarding security that you are having with WHMCS. At WHMCS, it's our desire to take a proactive approach to resolving bugs and preventing security problems in our product. To this point, we have and will continue to conduct both internal and external security audits to further harden and protect our software’s security. While we've been reactive to the recent security problems, it's not how we prefer to operate. The upcoming release of WHMCS, which is currently in beta, will provide over 170 documented bug fixes in our product (http://docs.whmcs.com/Changelog:WHMCS_V5.3).

--Message from WHMCS--- We understand the frustration regarding security that you are having with WHMCS. At WHMCS, it's our desire to take a proactive approach to resolving bugs and preventing security problems in our product. To this point, we have and will continue to conduct both internal and external security audits to further harden and protect our software’s security. While we've been reactive to the recent security problems, it's not how we prefer to operate. The upcoming release of WHMCS, which is currently in beta, will provide over 170 documented bug fixes in our product (http://docs.whmcs.com/Changelog:WHMCS_V5.3).